Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?

abesh · Oct 25, 2024, 2:07 PM

@disi1 Nope, nothing in Floating :( Should I have any ? I am a total noob and have not figured out everything :) I am guessing the Floating rules apply to both interfaces ?

abesh · Oct 25, 2024, 2:09 PM

@disi1 Updated the rules screenshot. Had made some changes :)

viragomann · Oct 25, 2024, 2:13 PM

@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

However Pihole still shows some devices on my network bypassing it. I do not know how that might be possible ?

I'm wondering, what this screen shot tell us. How does pihole detect, what's bypassing it?

For e.g. my eTeckcity smart plug (192.168.86.62) has only the following connections showing up on pfTop ?

ditto
This doesn't show a DNS connection. So why do you think, it bypasses the NAT of port 53?

Also consider, that the NAT will only work, when you do masquerading on this connections. Otherwise you will run into asymmetric routing and the DNS requests will fail.

abesh · Oct 25, 2024, 2:21 PM

@viragomann said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

Also consider, that the NAT will only work, when you do masquerading on this connections. Otherwise you will run into asymmetric routing and the DNS requests will fail.

I don't know what Masquerading is, I am pretty new to pfSense. How would I mitigate this situation ?
I have these outbound NAT Rules running in hybrid mode :

viragomann · Oct 25, 2024, 2:24 PM

@abesh
Yes, that's it.

abesh · Oct 25, 2024, 2:29 PM

@viragomann I can see that mostly all DNS is going through the pihole so dunno why it is showing as those not going through the DNS ?

Raffi_ · Oct 25, 2024, 2:47 PM

@abesh Pi-hole will highlight devices not using it in red. I don't see any red entries on that first screenshot. Brown simply means that device has not had a query for over 24 hours. Did you see the legend at the bottom of that page which explains this? It could mean that a device has been turned off or not going out to the web, or it could mean that the device only contacts a specific server and it queried it at one point and then stored it in its local DNS cache. The devices could also be using DoH or DoT which your port 53 rules on the NAT will not catch.

You can keep the pfsense DNS settings at their default. You don't have to put it in forwarding mode. I would put that back the way it was. It is best to let pfsense do the queries to the root servers directly. Leave DNS servers as 127.0.0.1 and ::1. Then you have to set Pi-hole to use pfsense as the DNS server. Then in the DHCP settings of pfsense, make sure you enter the Pi-hole address as the DNS server so that any client that get an IP will be using Pi-hole unless they have their own settings which must manually be changed.

abesh · Oct 25, 2024, 2:49 PM

@Raffi_ Thanks a lot for the explanation of the Brown entries. That makes a lot of sense.
Actually I run unbound locally on pihole and use that. That's why the DNS resolver is in FW only mode.

Raffi_ · Oct 25, 2024, 3:01 PM

@abesh Oh I see. I never tried running unbound on Pi-hole. So you're doing the reverse of what I suggested? Which device is acting as your DHCP server? pfsense or Pi-hole? Is the DHCP server pushing the Pi-hole or pfsense IP for DNS?

abesh · Oct 25, 2024, 3:05 PM

@Raffi_ So pfSense is the DHCP server and it hands out the pihole's address as the DNS server. The pfSense DNS resolver is configured to forward queries to pihole only. I need the pfSense DNS to resolve local names. Since pihole is not the DHCP server only IPs show up in pihole logs instead of hostnames if I don't do it this way. Pihole queries it's own unbound server at 127.0.0.1#5335 and responds back to the DNS queries.

Raffi_ · Oct 25, 2024, 3:11 PM

@abesh Interesting sounds a little more round about. To be honest, I can't even see where to enable unbound on Pi-hole natively. Is that officially supported by the Pi-hole project? I'm curious because I must be missing that?

AndyRH · Oct 25, 2024, 3:19 PM

@Raffi_ The method is not much different than what I did.
https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484

There are plenty of docs on how to install unbound on PiHole. I did it and it works well.

abesh · Oct 25, 2024, 3:19 PM

@Raffi_ Yup, officially supported by Pihole. Here's the documentation : https://docs.pi-hole.net/guides/dns/unbound/

abesh · Oct 25, 2024, 3:21 PM

@AndyRH Hey Andy ! Yes, thanks to you I could get this up and running :)

viragomann · Oct 25, 2024, 3:23 PM

@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

The pfSense DNS resolver is configured to forward queries to pihole only. I need the pfSense DNS to resolve local names.

The DNS Resolver on pfSense will never get a request, since you forward any to the pihole.

abesh · Oct 25, 2024, 3:29 PM

@viragomann Agree. Maybe I should turn off the resolver and see what happens ?

viragomann · Oct 25, 2024, 3:34 PM

@abesh
You should rather redirect any traffic to pfSense. So it's treated by the DNS resolver and host overrides will take place, while other requests are forwarded to the pihole from the Resolver.

keyser · Oct 25, 2024, 3:37 PM

@abesh Seems your setup is done correctly. Have you considered that the IP of those sessions might be hardcoded into the missing device?
Otherwise it is likely some unknown DNS over HTTPS server you are not blocking - or vendor specific nameresolution method - in play.

abesh · Oct 25, 2024, 3:39 PM

@keyser That was my thought process as well. Seems like killing DoH is like playing whack-a-mole !!!

viragomann · Oct 25, 2024, 3:41 PM

@abesh
Hardcoded DNS IP will be redirected anyway.
DoH can be an issue. You should consider to block DoH using pfBlockerNG.